Introduction


In  November  1986  the  people  of  Montana  passed  Legislative 
Referendum  100  establishing  a  state  lottery.    Lottery  ticket  sales 
began  on  June  24,  1987  with  an  instant  scratch  game  being  the 
first  lottery  game  offered  to  the  public.   The  Lottery  has  since 
increased  the  number  of  lottery  games  by  adding  two  on-line 
lotto  games:  Lotto*America  and  Montana  Cash.    Ticket  sales  for 
Lotto*America  began  in  November  1989  and  Montana  Cash 
began  in  May  1991. 


Section  23-5-1029,  MCA,  requires  the  Legislative  Auditor  to 
perform  a  comprehensive  security  audit  every  two  years  on  all 
aspects  of  Montana  Lottery  operations.    This  is  the  second 
security  audit  completed  since  the  inception  of  the  Lottery  in 
1987.    The  first  audit  was  completed  in  1989. 

Lottery  management  has  made  a  good  effort  to  establish  and 
maintain  security  over  Lottery  operations.    Areas  with  sufficient 
security  include:    the  Lottery  building;  delivery  of  tickets; 
inventory  and  storage  procedures;  on-line  game  terminals; 
destruction  of  unsold  instant  tickets;  validation  of  winning 
tickets;  and  background  investigations  for  retailers. 

This  audit  also  identified  areas  where  the  Lottery  can  improve 
security.    The  following  sections  summarize  the  results  of  our 
performance  audit. 


Security  Procedures 


As  part  of  our  audit,  we  examined  the  Lottery's  procedures  for 
background  investigation  of  Lottery  personnel  and  security 
controls  over  the  Lottery's  computer  system.    We  noted  several 
weaknesses  relative  to  the  Lottery's  procedures  for  investigating 
Lottery  personnel  prior  to  their  employment  with  the  Lottery. 


Establish  An  Adequate 
Fingerprinting  System 


Section 23-5-1019, MCA, requires all employees to submit a full
set of fingerprints to the Lottery. In addition, Lottery security
policies and procedures indicate fingerprints are to be classified
by the Identification Bureau at the Department of Justice and
by the FBI. We found fingerprints had not been obtained
and/or classified for all Lottery employees.

We  recommend  the  Lottery  comply  with  statutory  and  internal 
security  policies  for  obtaining  and  classifying  employee 
fingerprints. 


Document  Information 
Obtained During Background
Investigations


During  our  review  of  employee  security  files  we  noted  several 
files  did  not  contain  documentation  signifying  complete 
background  investigations  were  done.    To  provide  necessary 
information  on  employee  backgrounds,  security  files  should 
contain  documentation  of  all  information  obtained  during  a 
background  investigation.    We  recommend  the  Lottery  document 
all  information  obtained  during  employee  background 
investigations. 


Physical and Environmental
Computer Controls


Physical  and  environmental  controls  protect  computer  hardware 
and  software  from  theft,  accidental  destruction,  power 
fluctuations,  heat,  water,  dirt,  and  other  exposures.    Weaknesses 
in  these  controls  unnecessarily  expose  the  Lottery  to  risk  of 
interruption  of  critical  computer  operations.    We  identified 
several  areas  where  the  Lottery  could  improve  physical  and 
environmental  controls. 


Access  to  Documentation 
Should  Be  Controlled 


We  reviewed  the  physical  security  controls  governing  access  to 
the  Lottery's  computer  system  documentation.    We  found 
employees  can  obtain  user,  program,  and  technical  system 
documentation  due  to  its  location.    Access  to  system 
documentation  should  be  controlled.    The  potential  exists  for 
unauthorized  information  to  be  obtained  which  could  be  used  to 
compromise  the  security  of  the  Stratus  computer  system.    We 
recommend  the  Lottery  control  access  to  program  and  technical 
documentation  for  the  Stratus  computer  system. 


Maintain  Water  Detection 
Device  in  Computer  Room 


During  our  observations  of  the  Lottery  computer  room,  we 
noted  there  was  no  early  warning  water  detection  device.    The 
location  of  water  pipes  relative  to  the  computer  system  makes 
Lottery  operations  vulnerable  to  disruption.    However,  prior  to 
completion  of  the  audit,  the  Lottery  installed  water  sensors  on 
the computer room floor. Such controls could help prevent
disasters  from  occurring  and  minimize  any  recovery  costs.    We 
recommend  the  Lottery  maintain  the  additional  early  warning 
water  detection  device  in  the  computer  room. 


Use  Protective  Coverings 
For  Computer  Tape 
Delivery 


During  the  audit  we  noted  electronic  fund  transfer  and  warrant 
writer  tapes  transported  without  a  protective  storage  container. 
Transportation  of  computer  tapes  without  protective  coverings 
exposes  tapes  to  environmental  dangers  which  could  cause  tape 
damage  or  destruction  and  loss  of  data  resulting  in  disruption  of 
Lottery  operations.    We  recommend  the  Lottery  transport  all 
computer  tapes  in  protective  coverings. 


Computer  Security 
Reviews 


Section  2-15-114,  MCA,  applies  to  all  state  agencies  and 
specifies  each  department  head  is  responsible  for  ensuring  an 
adequate  level  of  security  exists  for  all  data  within  the 
department.   This  law  also  requires  the  department  head  to 
ensure  internal  evaluations  of  the  security  program  for  data  and 
information  technology  resources  are  conducted. 


Our  previous  security  audit  recommended  the  Lottery  perform 
such  reviews.   The  Lottery  responded  by  establishing  a  data 
processing  security  group  composed  of  various  Lottery 
personnel.    Although  this  group  meets  regularly  to  discuss 
needed  changes  relative  to  data  processing,  we  believe  the 
group's  activities  should  emphasize  more  intensive  computer 
security  evaluations.   This  would  more  fully  satisfy  the  intent  of 
the  security  review  statute.    Additionally,  many  of  the  computer 
security  issues  we  identified  could  have  been  detected/addressed 
by  an  internal  security  evaluation  performed  by  the  Lottery.    We 
recommend  the  Lottery  perform  more  detailed  data  security 
reviews as suggested by section 2-15-114, MCA.


Management Controls


During  our  audit  we  reviewed  management  controls  over 
Lottery  operations  relating  to  security.    Management  controls 
include  goals  and  objectives,  performance  evaluations, 
management  information,  training,  and  policies  and  procedures. 
We  also  reviewed  the  effectiveness  of  the  internal  audit  function 
for  the  Lottery.    This  included  reviewing  work  performed  by 
the internal audit function and subsequent reporting
responsibility. 


Performance  Evaluations 
Should  Be  Conducted 


Lottery  employees  have  not  received  performance  evaluations  in 
the  last  year.    In  addition,  several  employees  have  never  been 
given  a  performance  evaluation  even  though  they  have  been 
employed  by  the  Lottery  since  its  inception.    The  Montana 
Operations  Manual  requires  that  employees  be  evaluated  at  least 
annually.    We  recommend  the  Lottery  establish  the  completion 
of performance evaluations as a management priority.


Management  Information 


We  found  the  Lottery  security  department  maintains  only 
limited  management  information  regarding  security  operations. 
Management  information  which  is  properly  developed  and 
distributed  can  help  management  make  better  informed 
decisions.    The  information  could  also  help  improve  the  security 
of  the  Lottery  by  indicating  trends  and  identifying  problems  in 
various  security-related  areas.    Additionally,  properly  developed 
management  information  would  stimulate  questions  and 
discussions  with  the  Lottery  director  and  the  Lottery 
Commission.    This  in  turn  could  improve  the  overall  operation 
and  security  of  the  Montana  Lottery  and  provide  information  to 
Lottery  management  to  assess  security  department  performance. 
We  recommend  the  Lottery  establish  and  implement  policies  and 
procedures  to  improve  security  department  management 
information. 


Internal  Audit  Function 


Internal  auditing  is  an  independent  appraisal  function 
established  within  an  organization  to  examine  and  evaluate  its 
activities  as  a  service  to  the  organization.   The  objective  of 
internal  auditing  is  to  assist  members  of  the  organization  in  the 
effective  discharge  of  their  responsibilities.    We  found  the  audit 
function  performed  only  limited  electronic  data  processing  and 
internal  audit  work  in  terms  of  specific,  formalized  audits.    The 
following  discusses  areas  where  improvements  are  needed. 


Reporting  Responsibility 
Should  Be  Changed 


The  internal  audit  function  should  report  to  an  individual 
manager  or  management  group  that  allows  independence  from 
the operations and staff being reviewed. During our audit the
Lottery's  internal  audit  function  reported  to  the  director  of 
security  who  is  responsible  for  Lottery  security  and  also 
administers  warehouse  operations.    Since  these  areas  are 
routinely  reviewed  as  part  of  existing  internal  audit  work, 
having  the  internal  auditor  report  to  the  director  of  security 
affected  the  independence  of  the  audit  function. 

Lottery management has been working on an internal audit job
charter  for  over  a  year;  however,  it  was  still  in  draft  stage 
during  our  audit.    Such  a  document  would  generally  explain  the 
authority  and  responsibilities  of  the  internal  audit  function  to  all 
Lottery  personnel.    Additionally,  the  Lottery  had  failed  to 
establish  policies  which  authorize  the  internal  audit  function  to 
review  all  Lottery  operations. 

We  recommend  the  Lottery  revise  its  organizational  structure  so 
the  internal  audit  function  reports  to  the  Lottery  director, 
finalize  the  internal  audit  charter,  and  establish  policies 
specifying  the  role  of  the  internal  audit  function. 


Documentation  of  Audit 
Work  Inadequate 


The  internal  auditor  did  not  develop  audit  plans  prior  to 
performing  audit  work.    Audit  plans  generally  summarize  work 
to  be  done  for  presentation  to  management  so  informed 
decisions  can  be  made  on  audit  work  and  scope.    Additionally, 
the  internal  auditor  did  not  adequately  document  interviews, 
observations,  audit  tests,  and  conclusions.    Without  adequate 
documentation, Lottery management cannot place reliance on
work  performed  by  the  internal  audit  function. 


We  recommend  the  Lottery  require  adequate  documentation  of 
internal  audit  work. 


Training  Should  Be 
Provided 


One  of  the  key  components  in  the  management  of  personnel  is 
the  provision  of  training  which  will  improve  or  enhance 
employees'  abilities  to  perform  their  tasks.    We  reviewed  the 
training  provided  to  security,  data  processing,  and  internal  audit 
personnel.    Overall,  we  found  the  Lottery  has  provided  only 
minimal  training  to  staff  in  these  positions.    We  believe 
employee  training  offers  management  the  opportunity  to  expand 
employee skills and at the same time improve an organization's
operational  capabilities. 

We  recommend  the  Lottery  develop  and  implement  appropriate 
training  programs  for  security-related  personnel. 


Policies  and  Procedures 
Are  Incomplete 


Throughout  the  audit  we  identified  areas  where  the  Lottery  has 
not  developed  and/or  formalized  security  policies  and 
procedures.   These  areas  include  on-line  ticket  validations, 
retailer/contracted  employee  investigations,  and  a  card  access 
system  backup  plan.    Lack  of  policies  and  procedures  in  these 
areas  can  cause  inconsistencies  in  Lottery  operations  and  could 
compromise  Lottery  security. 


We  recommend  the  Lottery  establish  formal  policies  and 
procedures  for  on-line  ticket  validations,  background 
investigations  for  retailers  and  contracted  employees,  and  a 
backup  plan  for  the  card  access  system. 
Introduction


Section  23-5-1029,  MCA,  requires  the  Legislative  Auditor  to 
perform  a  comprehensive  security  audit  every  two  years  on  all 
aspects  of  Montana  Lottery  operations.   This  is  the  second 
security  audit  completed  since  the  inception  of  the  Lottery  in 
1987.    The  first  audit  was  completed  in  1989. 


Audit  Objectives 


The  objectives  of  the  audit  were  to  determine: 


--     Status  of  recommendations  made  in  our  previous  security 
audit. 

--     Adequacy  of  security  over  all  aspects  of  Lottery  operations. 

--     Adequacy  of  management  controls  over  Lottery  operations 
relating  to  security. 

--     Adequacy of security of on-line game terminals and drawing
procedures performed in Montana.

--     Adequacy of security over the Lottery's Stratus computer
system and Instant Lottery System software.

--     Compliance  with  state  laws  and  administrative  rules  related 
to  security. 


Statement  of  Privileged 
and Confidential Information


Section  23-5-1030,  MCA,  provides  "specific  audit  findings 
relating  to  security  invasion  techniques  are  confidential  and  may 
be  reported  only  to  the  Legislative  Audit  Committee,  the 
director  of  the  Lottery,  the  Commission,  the  Attorney  General, 
and  the  Governor."   During  our  audit  work  we  identified 
problem  areas  relating  to  computer  security  controls.    We  have 
prepared  a  separate  report  which  addresses  these  issues. 


Scope  of  Audit 


Audit  work  performed  focused  on  all  aspects  of  security  over 
Lottery  operations  and  related  management  controls.    During 
our  audit  we  reviewed  security  over  the  Lottery  building,  lottery 
games,  and  the  Lottery  computer  system. 
In 1989 the Lottery entered into an agreement with Control Data
Corporation  (CDC)  whose  corporate  headquarters  are  located  in 
Minneapolis,  Minnesota.    CDC  provides  computer  services  and 
ticket  stock  for  Montana's  on-line  games.    We  observed  their 
role  in  the  multi-state  Lotto*America  drawings  and  reviewed 
the  computer  system  used  for  the  on-line  games.    We  also 
examined  security  over  the  Lotto*America  drawings  held  in  Des 
Moines,  Iowa. 

In  March  1990  the  Lottery  contracted  with  Dittler  Brothers,  Inc. 
in  Atlanta,  Georgia  to  be  the  new  instant  ticket  vendor.    As  part 
of  the  audit,  we  reviewed  the  instant  ticket  production  process 
and  the  computer  system  associated  with  the  production  of 
instant  tickets  by  Dittler  Brothers,  Inc. 

We  visited  Lottery  marketing  representatives  and  retailers  to 
evaluate  security  measures  used  when  delivering  and  storing 
Lottery  tickets.    We  also  reviewed  methods  used  by  both  the 
Lottery  and  retailers  to  pay  prizes  to  Lottery  winners  for  instant 
and  on-line  games. 

We  examined  management  controls  relating  to  security.   This 
included  a  review  of  such  things  as  Lottery  goals  and  objectives, 
policies  and  procedures,  training,  and  performance  appraisals. 

Additionally,  we  contacted  Lottery  security  departments  in  other 
states  to  determine  how  their  security  programs  operate  and  to 
compare  them  with  the  Montana  Lottery's  security  operation. 

This  audit  was  conducted  in  accordance  with  governmental 
auditing  standards  for  performance  audits. 


Prior Audit Recommendations


The  audit  reports  on  Lottery  security  issued  in  January  1989  had 
29  recommendations  suggesting  ways  Lottery  management  could 
improve security over various aspects of its operations. The
recommendations  were  in  the  areas  of  computer  security, 
building  security,  and  management  controls.    Lottery  officials 
concurred  with  all  the  recommendations  and  established  time 
frames  to  implement  the  recommendations. 
During this review we found Lottery management had implemented
14 of the prior audit recommendations; 15 others were
either not implemented or only partially implemented. These
areas  are  identified  and  discussed  in  Chapters  III  and  IV  and  the 
confidential  addendum  to  this  report. 


Adequate  Security  Areas 


Lottery  management  has  made  a  good  effort  to  establish  and 
maintain  the  security  of  Lottery  operations.    Areas  in  which  we 
found  security  to  be  sufficient  include: 

--     The Lottery building.

--     Instant games, including delivery of tickets to Lottery
headquarters and retailers, inventory procedures, and
storage procedures.

--     Special drawings and promotions.

--     On-line game terminals and ticket inventories.

--     Destruction of unsold instant tickets.

--     Validation of winning tickets for instant and on-line games.

--     Background investigations for retailers.


Compliance 


As  part  of  our  audit  we  reviewed  compliance  with  state  laws, 
administrative  rules,  and  policies  relating  to  Lottery  security 
operations.    We  generally  found  the  Lottery  to  be  in  compliance 
with applicable requirements; however, some instances of
noncompliance were found. The areas of noncompliance concerned
Lottery  contracts  with  security-related  vendors,  fingerprinting 
of  staff,  training  of  data  processing  staff,  and  internal 
evaluation  of  security  over  the  Lottery's  computer  system. 
These  issues  are  discussed  later  in  the  report. 
Management Memorandums


During the course of the audit, we sent management memorandums
to Lottery officials addressing the following areas:

--     Development of a contract between the Lottery and the on-line
vendor as required by state law.

--     Establishment of procedures to assure all future vendor
contracts contain provisions for Legislative Auditor access
to vendor records.

--     Access to the Lottery computer room.

--     Updating position descriptions for Lottery employees.

--     Mail handling procedures.

--     Pre-printing of on-line game tickets by retailers.

--     Establishment of an automated system to review eligibility
of on-line game winners.


Future Performance
Audit Issues


During the course of our audit, we noted non-security related
areas which indicate future performance audit work at the
Lottery may be beneficial. Examples of these areas include:

--     Fiscal year 1990-91 Lottery revenues are approximately the
same as in fiscal year 1987-88. However, net revenues have
declined in the same time period.

--     The Lottery maintains limited management information for
all its Lottery games. The Lottery does not separate expenditure
information for instant and on-line Lottery games
which could help show the profitability of each game.

--     A significant percentage of instant tickets are destroyed
after games are completed. The Lottery does not conduct a
formal cost/benefit analysis of instant ticket purchases and
destructions to determine if instant ticket purchases should
be reduced.

--     The Marketing and Operations departments have yet to
formalize operational policies and procedures.
Introduction


In  November  1986,  the  people  of  Montana  passed  Legislative 
Referendum  100  establishing  a  state  lottery.    Lottery  ticket  sales 
began  on  June  24,  1987  with  an  instant  win  scratch  game  being 
the  first  Lottery  game  offered  to  the  public.    The  Lottery  has 
since increased the number of Lottery games by adding two on-line
lotto games: Lotto*America and Montana Cash. Ticket sales
for  Lotto*America  began  in  November  1989  and  Montana  Cash 
began  in  May  1991. 

This chapter provides an overview of Montana Lottery operations.
It describes Lottery goals and objectives, organization,
funding,  computer  operations,  and  instant  and  on-line  games. 


Lottery  Goals 


Lottery  management  has  established  several  goals  for  the 
operation  of  the  Lottery.    Some  of  the  Lottery's  major  goals 
include: 

--     Increase the number of winners in instant games.

--     Emphasize the public's awareness of Lottery winners.

--     Annual game identification for long-range planning and
marketability.

--     Add lottery games if in the best interest of the Lottery.

--     Increase profitability of the Lottery.

--     Develop Lottery staff potential through training.


Lottery  Organization 


The  Montana  Lottery  is  attached  to  the  Department  of 
Commerce  for  administrative  purposes  only.    Lottery  operations 
are  administered  by  the  Lottery  Commission  and  a  Lottery 
director.   The  following  chart  displays  the  organizational 
structure  of  the  Lottery. 
Figure 1
Montana Lottery Organization
Source: Compiled by the Office of the Legislative Auditor from Lottery records.


Lottery  Commission 


The  Lottery  Commission  consists  of  five  members  appointed  by 
the  Governor.   Section  23-5-1006,  MCA,  requires  three  of  the 
five members to come from specific professions. One commissioner
must have a minimum of five years law enforcement
experience,  one  commissioner  must  be  an  attorney  licensed  in 
Montana,  and  one  commissioner  a  certified  public  accountant 
licensed  in  Montana.   The  remaining  two  board  members  are 
public  members. 


The  Commission  meets  with  the  Lottery  director  at  least  once 
every  three  months  to  set  policy,  determine  the  types  of  games 
to  be  offered,  and  review  Lottery  activities  and  operations. 
Legislative Liaison
Committee 


In January 1987 a Legislative Liaison Committee was established
to report on the operations of the Lottery. According to
section  23-5-1008,  MCA,  "The  liaison  committee  consists  of 
four  legislators.    Two  members  must  be  from  the  senate  and  two 
members  must  be  from  the  house  of  representatives.    The 
speaker  of  the  house  and  the  senate  committee  on  committees 
shall  appoint  the  members  of  the  liaison  committee,  and  no  more 
than  two  members  may  be  of  the  same  political  party.    No 
legislator  who  has  any  ownership  in  any  gambling  device  or 
establishment  may  be  appointed  to  the  liaison  committee.    The 
liaison  committee  is  to  meet  once  each  fiscal  year  with  the 
commission  in  Helena  and  report  to  the  Legislature  on  the 
activities  and  operations  of  the  state  lottery." 


Lottery Staff/
Department Responsibilities


The  Montana  Lottery  is  authorized  a  total  of  36  FTE.    The 
Lottery  has  an  administrative  function  which  includes  the 
Lottery  director  who  is  appointed  by  the  Governor  and  four 
other  FTE,  including  a  recently-vacated  internal/EDP  audit 
position.    The  remaining  31  FTE  are  located  in  one  of  the  three 
main  departments  of  the  Lottery:    Operations,  Marketing,  and 
Security. The following is a brief description of each department
within the Lottery.


Operations  Department 


The  operations  department  is  authorized  nine  FTE,  including  a 
director  of  operations  who  administers  the  department.   Other 
FTE include: an EDP manager and three EDP staff, an accounting
and fiscal manager, a game accountant, an accounting
technician,  and  a  validation  technician. 


The  operations  department  is  responsible  for  accounting  and 
fiscal  management  of  the  Lottery,  including  such  things  as 
establishing  Lottery  budgets  and  monitoring  ticket  sales.    Other 
responsibilities include validating winning tickets and administering
data processing operations.
Marketing Department


The  marketing  department  is  authorized  17  FTE,  including  a 
director  of  marketing  who  administers  the  department.    Other 
FTE  include  a  product  manager,  sales  manager,  two  telephone 
sales personnel, a marketing researcher, nine marketing representatives,
and two administrative support positions. In order to
deliver  tickets  to  retailers  in  different  parts  of  the  state,  the 
marketing  representatives  are  located  in  Billings,  Bozeman, 
Butte,  Great  Falls,  Glasgow,  Helena,  Kalispell,  Miles  City,  and 
Missoula.    The  marketing  representatives  are  also  responsible  for 
promoting  the  Lottery's  instant  and  on-line  games.   This  is  done 
by distributing point-of-sale materials to the retailers, negotiating
space with retailers for product displays, and attending
special  promotions  for  the  Lottery  in  their  regions. 


The  marketing  department  is  responsible  for  designing  and 
managing  Lottery  games,  researching  and  analyzing  Lottery 
sales, distributing instant game tickets to retailers, and promoting
the Lottery.


Security  Department 


The  security  department  is  authorized  a  total  of  five  FTE  which 
includes  a  director  of  security  who  is  responsible  for  overseeing 
the operations of the department, including the Lottery warehouse.
Other FTE include an investigator, a licensing clerk, and
two  warehouse  personnel. 


The  department  is  responsible  for  monitoring  all  aspects  of 
security  over  Lottery  operations.    This  includes  performing 
background  checks  of  all  employees  and  ticket  retailers,  issuing 
licenses  to  retailers,  and  directing  investigations  of  alleged 
Lottery  fraud.    The  department  also  monitors  special  drawings 
and  promotions,  establishes  security  policies  and  procedures  for 
new  games  designed  by  the  Lottery,  and  ensures  the  security  of 
the  Lottery's  computer  system.   The  overall  goal  of  the  security 
department  is  to  maintain  security,  honesty,  fairness,  and 
integrity  over  Lottery  operations. 
Lottery Funding


Lottery  operations  are  funded  through  the  sale  of  instant  and 
on-line  game  tickets.    Section  23-5-1027,  MCA,  specifies  how 
each  dollar  spent  on  Lottery  tickets  is  to  be  distributed.   This 
statute  requires  a  portion  of  the  money  collected  from  ticket 
sales  to  be  used  for  the  payment  of  prizes,  retailer  commissions, 
and  operating  expenses.    Funds  not  used  for  these  purposes  are 
considered net revenue and through June 30, 1991 were distributed
on a quarterly basis to the Office of Public Instruction as
state  equalization  aid  to  public  schools. 


The  statutorily-determined  percentage  to  be  distributed  has 
changed  since  the  inception  of  the  Lottery.    The  percentages 
were changed by the Legislature to give the Lottery more operational
flexibility. Table 1 illustrates the statutory changes made
regarding  the  distribution  of  revenue  from  the  Lottery's 
inception  in  fiscal  year  1987-88  through  fiscal  year  1990-91. 


Table 1
Distribution of Revenue Requirements
Fiscal Years 1987-88 through 1990-91

Area for Distribution          FY 1987-88 through FY 1989-90   Effective FY 1990-91
Prize Money                    45%                             Minimum 45%
Retailer Commissions           5%                              No more than 10%
Operating Expenses             15%                             Not specified
Office of Public Instruction   Revenue not used for prizes,    Revenue not used for prizes,
                               commissions, and operating      commissions, and operating
                               expenses                        expenses

Source: Compiled by the Office of the Legislative Auditor from section 23-5-1027, MCA.

Starting  July  1,  1991,  a  specified  percentage  of  the  net  revenue 
will  be  transferred  to  the  Board  of  Crime  Control  to  fund  state 
grants  to  counties  for  youth  detention  services.    For  fiscal  year 
1991-92  the  percentage  will  be  1.6  percent.   Starting  July  1, 
1992,  the  percentage  will  increase  to  9.1  percent  but  the  dollar 
amount is not to exceed one million dollars in any future fiscal
year. 


Sales  and  Distribution 
of  Revenues 


During  its  first  four  years  of  operation,  the  Lottery  had  sales  of 
$82.6  million  and  transferred  $19.6  million  to  the  Office  of 
Public  Instruction  (OPI).    Lottery  sales  and  distributions  of 
revenues  for  fiscal  years  1987-88  through  1990-91  are  displayed 
in  the  following  table: 


Table 2
Montana Lottery Revenue and Distributions (Unaudited)
Fiscal Years 1987-88 through 1990-91
(million)

                   FY 87-88   FY 88-89   FY 89-90   FY 90-91   TOTAL
Revenues
  Sales            $25.6      $11.6      $21.5      $23.9      $82.6

Distributions
  Prizes           $11.5      $ 5.3      $10.2      $11.7      $38.7
  Commissions        1.4         .7        1.4        1.3        4.8
  Operations         4.3        2.8        5.7        6.7       19.5
  OPI Transfers      8.4        2.8        4.2        4.2       19.6

Source: Compiled by the Office of the Legislative Auditor from Lottery records.

Instant  Games 


Introduction 


The  Lottery  offers  the  public  a  choice  of  instant  games  by 
offering  two  games  simultaneously.    This  allows  the  Lottery  to 
offer  one  instant  game  with  more  high-tier  winners  and  one 
with  more  low-tier  winners.    Instant  games  were  the  first  games 
offered by the Lottery. Instant games allow players to determine
if they are winners by rubbing a latex coating off a ticket.
If  three  identical  play  symbols  appear  on  the  ticket  the  player 
wins  instantly.    If  a  winning  ticket  is  $50  or  less,  it  can  be 
redeemed  by  the  retailer  from  which  the  ticket  was  purchased. 



If  the  ticket  prize  is  more  than  $50,  it  must  be  redeemed  by  the 
Lottery.    This  can  be  done  by  a  player  either  bringing  the  ticket 
to  the  Lottery  or  mailing  the  ticket  to  the  Lottery.    Figure  2 
indicates sales figures for instant games one through twenty-six.


Figure 2

Montana Lottery Instant Games
Tickets Sold Games 1-26
Fiscal Years 1987-88 through 1990-91

Source: Compiled by the Office of the Legislative
Auditor from Lottery records.


The  following  sections  discuss  the  Lottery's  instant  game  cycle 
including:  game  design  and  prize  structure,  ticket  delivery  and 
inventory,  ticket  distribution,  ticket  sales,  and  procedures 
followed  by  Lottery  personnel  at  the  end  of  an  instant  game. 


Game Design/Prize Structure


Instant  games  are  designed  by  various  Lottery  staff  who  meet 
periodically  to  discuss  game  strategies,  prize  structures  and 
ticket  specifications.    Once  this  information  is  determined, 
working  papers  are  developed  which  detail  the  specifications  for 
the  game,  such  as  the  Guaranteed-Low-End-Prize-Structure 
(GLEPS)  and  physical  appearance  of  the  tickets.    After  the 
working  papers  are  compiled,  they  are  sent  to  Dittler  Brothers, 
Inc. which reviews the working papers and returns them to the
Lottery with suggested changes and/or questions. Several draft
versions  of  working  papers  are  developed  and  reviewed  by  both 
the  Lottery  and  Dittler  Brothers,  Inc.  before  a  final  game  design 
and  prize  structure  is  selected.    Upon  approval  of  the  final 
working  papers  by  Lottery  personnel,  they  are  returned  to 
Dittler  Brothers,  Inc.  so  they  can  begin  printing  tickets. 


Ticket  Delivery/Inventory 


All  instant  tickets  are  printed  by  Dittler  Brothers,  Inc.  in 
Atlanta,  Georgia  and  shipped  directly  to  Lottery  headquarters 
via tractor/trailer. When the trailer arrives at Lottery headquarters,
a member of the security department inspects the
trailer for signs of tampering. This entails comparing the seal
and lock numbers on the trailer to those listed on the bill-of-lading
and conducting a visual inspection of the trailer. Once
the  security  representative  is  satisfied  the  trailer  has  not  been 
tampered  with,  the  trailer  seal  is  cut  and  the  trailer  opened.    The 
contents  are  then  inspected  by  security  or  warehouse  personnel 
for  any  damage  or  signs  of  tampering  to  the  pallets  of  tickets 
which are shrink-wrapped in plastic. The trailer is then unloaded
and the tickets moved inside the Lottery warehouse.
Once  the  tickets  are  in  the  warehouse,  a  100  percent  inventory  is 
conducted.    Using  computer-generated  information  supplied  by 
Dittler,  a  visual  inspection  of  each  pack  of  tickets  is  performed. 
The  packs  are  examined  to  ensure:  all  tickets  are  present,  the 
latex  covering  on  the  first  page  of  tickets  is  free  from  scratches, 
play  symbols  are  covered  by  latex,  the  general  appearance  of 
tickets  is  good,  and  the  shrink  wrap  on  individual  packs  is  free 
of  tears.    Any  defective  packs  are  recorded  and  pulled  from 
inventory.    As  part  of  the  inventory  process,  the  Lottery's 
internal  auditor  conducts  a  GLEPS  test  on  the  tickets.    The  main 
purpose  of  the  GLEPS  test  is  to  assure  ticket  shipments  meet  the 
prize  structure  approved  by  the  Lottery.    After  the  inventory  is 
complete  the  tickets  are  separated  into  marketing  representative 
regions  in  the  warehouse.    Once  the  tickets  are  separated,  they 
are  ready  for  delivery  to  the  marketing  representatives. 


Ticket Distribution


At  the  start  of  a  new  instant  game  the  tickets  are  either  picked 
up by the marketing representatives or delivered to the marketing
representatives by Lottery staff. The marketing representatives
store tickets in established storage areas which have been
reviewed  and  approved  by  Lottery  security  personnel.    The 
marketing  representatives  then  deliver  tickets  to  the  retailers  for 
sale  to  the  public.    Periodically,  the  Lottery  uses  United  Parcel 
Service  to  deliver  tickets  directly  to  a  retailer.    This  is  usually 
only done when marketing representatives are sick or on vacation
and a retailer needs tickets delivered as soon as possible.

During  the  course  of  the  audit  we  observed  ticket  delivery  and 
inventory  procedures  and  found  the  procedures  followed  by  the 
Lottery  to  be  adequate.    We  also  evaluated  the  procedures 
followed  by  the  marketing  representatives  when  picking  up 
tickets  from  the  Lottery  and  inspected  a  sample  of  ticket  storage 
areas  maintained  by  marketing  representatives.    We  found  the 
storage areas and procedures followed by the marketing representatives
when picking up tickets from the Lottery to be
adequate. 


End-of-Game  Procedures 


An  instant  game  is  on  sale  for  approximately  twelve  weeks  with 
a new game being offered every six weeks. At the conclusion of
each game, unsold tickets are returned by the retailers to the
marketing representatives. The marketing representatives are
then responsible for returning these tickets to Lottery headquarters.
Upon receipt of unsold tickets from all regions, a 100
percent  inventory  is  performed  by  warehouse  personnel.    When 
the  inventory  is  complete  an  audit  of  the  tickets  is  conducted  by 
the  Lottery's  internal  auditor. 


During our audit work, we observed the marketing representatives
return unsold tickets to Lottery headquarters and also
observed  Lottery  personnel  take  inventory  of  these  tickets.    We 
found  the  procedures  followed  in  these  instances  ensured  that  all 
unsold  tickets  are  returned  to  the  Lottery. 


Ticket Disposal


Upon  completion  of  the  ticket  inventory,  the  remaining  tickets 
are stored for the six months a winning ticket could be submitted
for prize payment. After the six-month waiting period
the  unsold  tickets  are  disposed  of  via  incineration.    We  observed 
the  incineration  process  and  found  it  to  be  effective  in 
destroying  the  unsold  tickets. 


On-Line  Games 


Introduction 


Currently,  two  on-line  games  are  being  operated  by  the  Lottery: 
Lotto*America  and  Montana  Cash.   On-line  lottery  games  are 
controlled  by  a  central  computer  system  which  is  attached  to 
sales terminals at retailers' locations. A communications network
is utilized to transfer information on ticket sales from the
terminals  to  the  central  computer. 


Lotto*America


Section  23-5-1007,  MCA,  allows  the  Lottery  Commission  to 
enter  into  agreements  with  other  states  to  offer  lottery  games. 
The  Lottery  has  joined  14  other  states  plus  the  District  of 
Columbia  in  an  on-line  multi-state  lottery  game  known  as 
Lotto*America. Lotto*America offers smaller states the opportunity
of providing lottery players the chance to win larger
prizes  than  typically  possible  through  a  state  lotto  game.    By 
joining  Lotto*America,  Montana  became  a  member  of  the 
Multi-State  Lottery  Association  (MUSL)  which  operates 
Lotto*America.    Montana  has  to  assure  MUSL  of  compliance 
with  MUSL  rules  and  Lotto*America  game  procedures.    MUSL 
headquarters  are  located  in  Des  Moines,  Iowa  and  the 
Lotto*America  drawings  are  held  at  a  television  studio  in  Des 
Moines  every  Wednesday  and  Saturday  night. 


Lotto*America  is  a  six  of  54  number  lotto  game  which  offers  a 
minimum  two  million  dollar  jackpot  which  increases  after  each 
drawing  in  which  the  jackpot  is  not  won.    The  jackpot  amount 
increase  is  based  on  the  total  number  of  tickets  sold  for  each 
drawing.    Players  purchase  a  ticket  from  a  retailer  for  one  dollar 
and  select  two  sets  of  six  different  numbers  between  one  and  54. 
A player can have the Lotto*America terminal choose the two
sets  of  six  numbers  (quick-play)  or  can  choose  themselves  by 
marking  the  numbers  on  a  play  slip.    If  a  player  chooses  to  use  a 
quick-play,  the  retailer  pushes  a  quick-play  button  on  the 
Lotto*America  terminal  and  a  ticket  is  produced  with  two  sets 
of  six  numbers.    If  a  player  completes  a  play  slip,  the  retailer 
inserts  the  play  slip  into  the  terminal.    The  terminal  reads  the 
numbers  marked  on  the  play  slip  and  prints  a  ticket  with  those 
numbers.    Retailers  also  have  the  option  of  manually  entering 
the  marked  numbers  into  the  terminal. 

A  Lotto*America  jackpot  is  won  if  a  player  matches  the  six 
numbers  drawn  in  Des  Moines.    Smaller  prizes  may  also  be  won 
by  matching  five  of  six  numbers  or  four  of  six.    The  amounts  of 
these  prizes  are  based  upon  total  ticket  sales  for  each  drawing. 
The  following  figure  indicates  Montana  sales  for  Lotto*America 
from  November  1989  through  August  1991. 


Figure 3

Montana Lotto*America Ticket Sales
November 1989 through August 1991


Source:  Compiled  by  the  Office  of  the  Legislative  Auditor  from  Lottery  records. 


Control  Data  Corporation  (CDC)  is  responsible  for  operation  and 
maintenance  of  the  on-line  terminals.   CDC  provides  and  installs 
terminals  in  locations  selected  by  the  Lottery  and  then  supplies 
the  retailer  with  ticket  stock  and  technical  assistance  with 
terminal operations. CDC also performs any necessary maintenance
relative to the terminals.

Montana's  Lotto*America  operations  are  monitored  by  a  central 
computer  located  in  Olympia,  Washington  which  is  administered 
by  CDC.    CDC's  computer  system  monitors,  stores,  and  compiles 
ticket  sales  information,  such  as  the  date  and  time  tickets  were 
purchased  and  the  numbers  selected.    The  integrity  of  CDC's 
computer  system  is  verified  by  the  Lottery's  Internal  Control 
System (ICS) which is part of the Lottery's Stratus computer
system.    The  ICS  gives  the  Lottery  the  capability  to  verify  the 
accuracy  of  CDC's  ticket  sales  information  for  on-line  games. 
The  Lotto*America  drawings  in  Des  Moines,  Iowa  are  also 
monitored  in  order  to  maintain  the  security  and  integrity  of  the 
drawings. For example, off-duty police officers and independent
auditors are contracted by MUSL and MUSL members to
oversee  each  drawing.    Additionally,  independent  audit  firms 
contracted  by  MUSL  observe  drawing  procedures  performed  by 
each  MUSL  member  including  Montana  Lottery  staff  at  Lottery 
headquarters. 


Montana  Cash 


Montana  Cash  is  the  newest  state-wide  lotto  game  starting  in 
May 1991. The drawing for Montana Cash is held each Saturday
evening.


Montana  Cash  is  a  five  of  thirty-seven  number  lotto  game 
which  offers  players  the  chance  to  win  a  jackpot  (minimum 
$20,000)  which  is  smaller  than  the  Lotto*America  jackpot,  but 
larger  than  a  top  prize  typically  offered  via  an  instant  game. 
The  jackpot  increases  each  time  it  is  not  won  based  on  total 
retail  ticket  sales  for  each  drawing. 

Players  may  purchase  a  one  dollar  Montana  Cash  ticket  from  a 
participating  retailer.    As  with  Lotto*America,  players  can  have 
their two sets of numbers chosen by the terminal via a quick-play
or choose the numbers by marking a play slip. The jackpot
is  won  by  matching  the  five  numbers  on  a  player's  ticket  to 
those  numbers  drawn.    In  addition,  $200  is  won  if  four  of  five 
numbers  are  matched  or  $5  if  three  of  five  are  matched.    These 
smaller  amounts  remain  constant  for  each  drawing. 

As with Lotto*America, CDC administers the computer operations
for Montana Cash since tickets are purchased using the
same terminals as Lotto*America. The Montana Cash drawing is
monitored by an independent audit firm who assures the integrity
of the drawing and compliance with established drawing
procedures. 


Retailers


There  are  approximately  800  retailers  licensed  to  sell  instant 
lottery  tickets  in  Montana.    Approximately  300  of  these  retailers 
are  also  authorized  to  sell  on-line  lotto  tickets.    Before  retailers 
are considered for a license to sell lottery tickets, they are statutorily
subject to a background investigation by the Lottery's
security  department.   The  cost  of  a  retailer  license  is  $50  which 
is  used  to  cover  the  expense  of  investigating  and  processing  the 
application. 


Retailers have specific responsibilities for both instant and on-line
games. Some of the retailer responsibilities for instant
games  include:  redeeming  low-tier  ($50  and  under)  instant 
tickets,  providing  security  for  their  instant  ticket  stock,  paying 
the  Lottery  for  the  tickets  when  they  are  received,  and  returning 
unsold  tickets  at  game  end.    Responsibilities  for  on-line  games 
include:  paying  low-tier  (under  $600)  tickets,  correct  use  and 
operation  of  the  on-line  terminal,  and  notifying  CDC  of  any 
problems  with  the  terminals.    In  order  to  spell  out  what  is 
expected of retailers, the Lottery has supplied policy and procedure
manuals for both instant and on-line games. Retailers can
refer  to  the  manuals  for  any  questions  they  may  have  regarding 
either  game.    If  retailers  cannot  find  an  answer  in  the  manual, 
toll-free  telephone  numbers  are  provided  for  the  Lottery  and 
CDC. 


Introduction


This  chapter  examines  the  Lottery's  security  department's 
procedures  for  background  investigation  of  Lottery  personnel 
and  security  controls  over  the  Lottery's  computer  system.    We 
noted  several  weaknesses  relative  to  the  Lottery's  procedures  for 
investigating  Lottery  personnel  prior  to  their  employment  with 
the Lottery. In addition, during our evaluation of data processing
controls we determined improvements could be made in the
established  physical/environmental  controls.    The  following 
sections  discuss  the  identified  issues. 


Background Investigations
of Employees
Could Be Improved


Employee  background  investigations  are  completed  by  Lottery 
security  personnel  to  determine  suitability  for  employment  by 
the  Lottery.    Background  investigations  alert  security  personnel 
of  any  criminal  history  which  could  make  the  individual 
unsuitable  for  Lottery  employment.    Security  personnel  keep  a 
record  of  background  investigations  for  each  Lottery  employee 
in  department  files. 

According  to  the  Lottery  security  policy  manual,  four  major 
sources  of  information  are  used  to  provide  security  personnel 
with  background  information  on  applicants  and  employees. 
They  include: 

--     Montana Lottery Questionnaire - Each applicant is required
to  complete  the  Montana  Lottery  Questionnaire.    The 
questionnaire  requests  information  relating  to  personal  data, 
references,  educational  background,  employment  history, 
arrest  history,  driving  history,  gambling  habits,  narcotics 
use,  military  status,  and  physical  and  mental  condition.    The 
questionnaire also requests the applicant to sign an authorization
permitting other organizations (state, federal, credit
bureaus,  doctors,  etc.)  to  release  information  they  may  have 
regarding  the  applicant. 

--     National  Crime  Information  Center  (NCIC)  -  Inquiries  to 
NCIC  are  made  through  the  Montana  Highway  Patrol.    This 
inquiry  provides  Lottery  security  personnel  with 
background  information  regarding  outstanding  warrants 
against  the  applicant  on  a  nationwide  level. 

--     Criminal Justice Information Network (CJIN) - Inquiries to
CJIN  are  also  obtained  through  the  Montana  Highway 
Patrol.    CJIN  provides  background  information  regarding 
outstanding  warrants  against  the  applicant  on  a  statewide 
level.    Both  NCIC  and  CJIN  inquiries  allow  security 
personnel  to  obtain  initial  background  information  on  the 
applicant  prior  to  employment  at  the  Lottery. 

--     Fingerprints - Fingerprints are obtained and sent for classification
to the Department of Justice's Identification Bureau
and  the  Federal  Bureau  of  Investigation  (FBI).    Classified 
fingerprints  provide  the  major  source  of  information 
regarding  the  potential  criminal  history  of  the  employee.    In 
addition,  they  may  provide  information  not  furnished 
through  NCIC  or  CJIN  inquiries. 

During  our  audit  work  we  found  background  investigation 
procedures  followed  by  security  personnel  could  be  improved. 
The  following  sections  describe  the  noted  issues. 


Establish  An  Adequate 
Fingerprinting  System 


Section  23-5-1019,  MCA,  requires  all  employees  to  submit  a  full 
set of fingerprints to the Lottery. In addition, Lottery security
policies and procedures indicate fingerprints are to be classified
by the Department of Justice's Identification Bureau and the
FBI. As noted, fingerprints are a major source of information
regarding the potential criminal history of an employee. Consequently,
Lottery statute and policy require fingerprints to be
obtained and sent for classification before an employee is hired.
This way, security personnel receive information on the classified
fingerprints as soon as possible.


We  judgmentally  selected  ten  employee  security  files  to  review 
for  completeness  of  background  investigations.    We  found  two 
files  did  not  contain  any  record  of  fingerprints  and  three  others 
had  fingerprint  records  which  had  not  been  submitted  to  state 
and  federal  authorities  for  classification.    Although  the  two 
employees  who  had  not  been  fingerprinted  were  hired  within 
nine months of our review, the three employees with non-classified
fingerprints had been employed since 1989.

Since fingerprints have not been obtained for all employees, the
Lottery has neither complied with section 23-5-1019, MCA, nor
its internal security policies and procedures. In addition,
fingerprints  not  classified  by  the  Identification  Bureau  or  the 
FBI  provide  no  information  to  security  personnel  regarding  the 
criminal  history  of  an  employee. 


Lottery  security  staff  indicated  the  reason  some  employees  have 
not  been  fingerprinted  and/or  their  fingerprints  submitted  for 
classification  is  due  to  the  Lottery's  current  fingerprinting 
system.    Security  personnel  believe  the  current  fingerprinting 
system  is  inadequate  because  it  does  not  create  fingerprints 
which  meet  Identification  Bureau  and  FBI  requirements.    For 
example,  security  personnel  indicated  the    fingerprints  in  the 
security  files  which  were  not  submitted  for  classification  were 
smudged  and  could  not  be  classified  by  the  state  Identification 
Bureau  or  the  FBI.    Security  personnel  indicated  they  were 
waiting  to  take  or  re-take  fingerprints  until  they  established  a 
new  fingerprinting  procedure. 

As a result of our audit findings, Lottery officials indicated they
intend  to  use  the  services  of  the  Identification  Bureau  for  all 
fingerprinting  needs.    Additionally,  security  personnel  have  now 
obtained  fingerprints  for  all  employees  and  stated  there  will  be 
no  delays  in  obtaining  or  classifying  fingerprints  in  the  future. 


Recommendation  #1 

We  recommend  the  Lottery  comply  with  statutory  and 
internal  security  policies  for  obtaining  and  classifying 
employee  fingerprints. 


Document All Information
Obtained During Background
Investigations


During our review of employee security files we noted several
files did not contain documentation signifying complete background
investigations were done. We compared the files to the
major sources of background information described in the
security policy and procedures manual and outlined on pages 19
and 20 of this report. Of the ten security files reviewed, we
found seven files did not contain documentation of inquiries to
NCIC and/or CJIN databases. We also noted one file was missing
the Montana Lottery Questionnaire.

To  provide  necessary  information  on  employee  backgrounds, 
security  files  should  contain  documentation  of  all  information 
obtained  during  a  background  investigation.    Additionally, 
current  internal  security  policies  and  procedures  state  all 
investigations  should  be  reported  in  memorandum  form.    For 
example,  a  memorandum  should  be  written  and  placed  in  the 
file  each  time  the  Montana  Highway  Patrol  is  contacted  for  an 
inquiry  to  the  NCIC  and  CJIN  system.    This  is  necessary  because 
according  to  Lottery  security  personnel,  the  Highway  Patrol 
does  not  always  send  a  copy  of  the  NCIC  and  CJIN  reports  to 
the  Lottery.   Therefore,  not  all  employee  security  files  have 
documentation  relating  to  the  NCIC  and  CJIN  inquiries  even 
though  verbal  information  may  have  been  obtained. 

Security personnel indicated they usually do not include documentation
in a file unless they obtain adverse information about
the  employee.    However,  they  also  indicated  some  information 
was  not  in  the  file  because  they  had  forgotten  to  follow-up  or 
misplaced  the  information. 

To assist with employee background investigations, Lottery
officials indicated they are in the process of developing a background
investigation checklist. They believe this checklist will
help  them  obtain  and  document  all  the  information  necessary  to 
demonstrate  a  complete  background  investigation  was  done  on 
employees.    Once  the  background  investigation  checklist  is 
developed  and  used  by  Lottery  personnel,  the  process  could  be 
incorporated  into  the  written  policies  and  procedures  for  the 
security  department. 


Recommendation #2

We  recommend  the  Lottery: 

A.  Document  all  information  obtained  during  employee 
background  investigations;  and, 

B.  Complete  the  development  of  and  implement  the 
background  investigation  checklist. 


Physical and Environmental
Computer Controls


Physical  and  environmental  controls  protect  computer  hardware 
and software from theft, accidental destruction, power fluctuations,
heat, water, dirt, and other exposures. Weaknesses in
these  controls  unnecessarily  expose  the  Lottery  to  risk  of 
interruption  of  critical  computer  operations.    We  identified 
several  areas  where  the  Lottery  could  improve  physical  and 
environmental  controls. 


Access  to  Documentation 
Should  Be  Controlled 


We  reviewed  the  physical  security  controls  governing  access  to 
the  Lottery's  computer  system  documentation.    We  found  all 
employees  can  obtain  user,  program,  and  technical  system 
documentation  due  to  its  location.    Currently,  the  documentation 
is  kept  in  an  unlocked  filing  cabinet  in  an  area  with  only  limited 
control  of  employee  access. 


Access  to  system  documentation  should  be  controlled.    The 
potential  exists  for  unauthorized  information  to  be  obtained 
which  could  be  used  to  compromise  the  security  of  the  Stratus 
computer  system.    For  example,  users  could  review  system 
documentation  and  subsequently  exploit  the  Stratus  operating 
system  to  gain  access  to  Lottery  data  and  programs  or  to  disrupt 
computer operations.

Montana Lottery officials agreed with our recommendation and
stated  they  are  reviewing  alternatives  to  better  secure  Stratus 
system  documentation. 


Recommendation  #3 

We  recommend  the  Lottery  control  access  to  program  and 
technical  documentation  for  the  Stratus  computer  system. 


Maintain Water Detection
Device in Computer Room


During our observations of the Lottery computer room physical
and environmental controls, we noted there is no early warning
water detection device. However, pressure flow detectors exist
for the fire suppression system for the Lottery building.

The  location  of  water  pipes  relative  to  the  computer  system 
makes  Lottery  operations  vulnerable  to  disruption.  If  the  water 
pipes were to break, the result could damage the system. Without
use of the Stratus computer the Lottery would be unable to
sell tickets, verify winning tickets, perform ticket inventory, or
void stolen instant tickets. In addition, internal control processing
for on-line games would not be possible.

Since  there  is  limited  availability  of  Stratus  computers  or 
compatible  systems  in  Montana,  every  possible  potential  disaster 
should  be  considered  and  where  possible,  protected  against.    To 
ensure  the  timely  detection  of  a  potential  water  disaster  in  the 
computer  room,  we  recommended  the  Lottery  install  an  early 
warning  water  detection  device  inside  the  room.    Prior  to 
completion  of  the  audit,  the  Lottery  installed  water  sensors  on 
the  computer  room  floor.    Such  controls  could  help  prevent 
disasters  from  occurring  and  minimize  any  recovery  costs. 


Recommendation #4

We  recommend  the  Lottery  maintain  the  additional  early 
warning  water  detection  device  in  the  computer  room. 


Use Protective Coverings
For Computer Tape
Delivery


Throughout the audit, we observed the daily storage and
delivery of computer tapes containing sensitive Lottery information.
We found electronic fund transfer (EFT) and warrant
writer (WW) tapes are transported to the Federal Reserve and
Department of Administration Information Services Division
without a protective storage container. The EFT tapes contain
retailer information for collecting money owed to the Lottery
and WW tapes contain prize recipients' payment information.

Transportation of computer tapes without protective coverings
exposes tapes to environmental dangers which could cause tape
damage or destruction and loss of data resulting in disruption of
Lottery operations. Computer tapes should be safeguarded
against potential environmental conditions (i.e., heat, moisture)
and contaminants (i.e., dust, smoke), especially during their
transportation  between  sources.    This  is  necessary  to  ensure  the 
quality  and  reliability  of  the  magnetic  media.   Computer  tape 
cases  cost  approximately  $50  each. 

To  protect  computer  tapes,  the  Lottery  should  transport  all  tapes 
with  protective  coverings.    Montana  Lottery  officials  concurred 
with  our  recommendation. 


Recommendation #5

We  recommend  the  Lottery  transport  all  computer  tapes  in 
protective  coverings. 


Computer Security
Reviews 


Section 2-15-114, MCA, which applies to all state agencies,
specifies each department head is responsible for ensuring an
adequate level of security for all data within the department and
implementing appropriate cost-effective safeguards to reduce,
eliminate, or recover from identified threats to data. The
statute also requires the department head ensure internal evaluations
of the security program for data and information technology
resources are conducted.


In  the  prior  security  audit  we  recommended  the  Lottery  perform 
security reviews. Lottery officials concurred with our recommendation
and responded by establishing a data processing
security  group  composed  of  various  Lottery  personnel. 
Although  this  group  meets  regularly  to  discuss  needed  changes 
relative  to  data  processing,  we  believe  the  group's  activities 
should  emphasize  more  intensive  computer  security  evaluations. 
This  would  more  fully  satisfy  the  intent  of  the  security  review 
statute.    A  comprehensive  internal  security  review  would 
include  a  detailed  analysis  of  the  general  and  application 
controls  in  place  over  the  data  processing  functions.    Many  of 
the  computer  security  issues  we  identified  could  have  been 
detected/addressed  by  an  internal  security  evaluation  performed 
by  the  Lottery. 


Recommendation  #6 

We  recommend  the  Lottery  perform  more  detailed  data 
security  reviews  as  suggested  by  section  2-15-114,  MCA. 


Introduction


During  our  audit  we  reviewed  management  controls  over 
Lottery  operations  relating  to  security.    Management  controls 
include goals and objectives, performance evaluations, management
information, training, and policies and procedures. We
also  reviewed  the  effectiveness  of  the  internal  audit  function  for 
the  Lottery.    This  included  reviewing  work  performed  by  the 
internal  audit  function  and  subsequent  reporting  responsibility. 
The  following  sections  discuss  concerns  we  have  with  some  of 
the Lottery's management controls and the internal audit function.


Performance Evaluations
Should Be Conducted


According  to  the  Montana  Operations  Manual  performance 
evaluation policy section 3-0115, "the performance of each full-time
and part-time employee in a permanent position . . . who
has completed a probationary period shall be appraised during
established evaluation periods of not more than one year duration.
The rating of performance shall take place no more than
sixty  calendar  days  after  the  close  of  the  evaluation  period." 

During  our  audit  we  determined  Montana  Lottery  management 
had  not  conducted  performance  evaluations  of  its  employees. 
We  reviewed  the  personnel  files  of  eight  Lottery  employees 
which included four security and four non-security personnel.
Our review found none of these employees had a formal performance
evaluation completed in the last year. Additionally,
seven  of  these  employees  had  never  been  given  a  performance 
evaluation  even  though  they  have  been  employed  by  the  Lottery 
since  its  inception  in  1987. 

Performance  evaluations  are  a  valuable  management  tool  used  to 
help  communicate  with  employees.    Performance  evaluations  can 
improve  employee  performance  through  identification  of 
strengths  and  weaknesses,  and  specify  methods  for  improving 
skills  and  abilities.    The  focus  of  a  performance  evaluation 
should  also  be  to  improve  the  future  performance  of  an 
employee. Lack of performance evaluations results in employees
not knowing where they stand in relation to job performance,
and may lead to poor employee morale. In addition, without
standards of performance it is difficult for management to
monitor and track employee productivity in relation to promotions,
internal job changes, or disciplinary actions.

During  the  security  audit  completed  in  1989  we  also  found  the 
Lottery  had  not  completed  performance  evaluations  of 
employees. In a written response at the completion of that
audit, Lottery officials agreed performance evaluations should
be  completed  and  indicated  they  would  review  ways  to  complete 
evaluations  in  the  near  future.    Current  Lottery  officials  stated 
they  continue  to  recognize  the  importance  of  conducting 
performance  evaluations.    However,  Lottery  officials  indicated 
because  the  directorship  of  the  Lottery  has  changed  three  times 
in  four  years,  they  have  been  unable  to  implement  our 
recommendation.    Additionally,  officials  indicated  they  have 
been  in  the  process  of  developing  the  Lottery's  on-line  games 
and  this  has  limited  the  time  to  conduct  performance  evaluations 
of employees. As a result of our findings and completed
implementation of the on-line games, Lottery officials have
started  to  conduct  performance  evaluations  of  employees. 


Recommendation  #7 

We  recommend  the  Lottery  establish  the  completion  of 
performance  evaluations  as  a  management  priority. 


Management Information


During  our  evaluation  of  the  Lottery  security  department,  we 
found  the  department  maintains  only  limited  management 
information regarding security operations. Management information
which is properly developed and distributed can help
management  make  better  informed  decisions.    The  information 
could  also  help  improve  the  security  of  the  Lottery  by  indicating 
trends  and  identifying  problems  in  various  security-related 
areas.

We contacted the security departments for five other state
lottery programs. Our interviews indicated four of these
lotteries maintain systematic and formalized management information
within their security departments. Some of the documentation
maintained by these states includes the number of ongoing
and completed investigations, tracking the total number of
stolen  tickets  for  each  retailer,  training  received  and  given,  and 
ticket  deliveries.    In  addition,  in  order  to  keep  the  lottery 
directors  informed,  the  security  departments  in  these  four  states 
submit  either  weekly,  monthly,  or  annual  reports  to  the  lottery 
director  discussing  all  security  issues. 

Currently  there  are  no  policies  or  procedures  which  require  the 
security  department  to  develop  and  properly  maintain  adequate 
management  information.    In  addition,  the  Lottery  director  of 
security  generally  provides  only  verbal  reports  on  security  issues 
to  the  Lottery  director  and  the  Lottery  Commission.    We  believe 
development and maintenance of adequate management information
could improve security department operations. This
information  will  stimulate  questions  and  discussion  with  the 
Lottery  director  and  the  Lottery  Commission.    This  in  turn 
could  improve  the  overall  operation  and  security  of  the  Montana 
Lottery  and  provide  information  to  Lottery  management  to 
assess  security  department  performance. 

Lottery  officials  believe  because  the  Lottery  is  a  small  operation 
it  is  not  necessary  to  change  the  current  system  for  management 
information. The current system is limited to recording information
in an incident log. However, the log is not formatted in
a  way  which  allows  easy  determination  of  the  number  and  type 
of  security  issues  arising  at  the  Lottery.    Security  personnel 
believe  they  can  identify  any  problem  areas  within  the  Lottery 
relating  to  security  without  additional  management  information. 
However,  Lottery  officials  indicated  they  will  try  to  establish 
and  implement  policies  and  procedures  wherever  possible  to 
improve  the  development  and  maintenance  of  management 
information.


Recommendation #8

We  recommend  the  Lottery  establish  and  implement 
policies  and  procedures  to  improve  security  department 
management  information. 


Internal  Audit  Function 


Internal auditing is an independent appraisal function established
within an organization to examine and evaluate its
activities  as  a  service  to  the  organization.    The  objective  of 
internal  auditing  is  to  assist  members  of  the  organization  in  the 
effective  discharge  of  their  responsibilities.    An  internal  audit 
department  typically  functions  under  policies  established  by 
management. A statement of purpose, authority, and responsibility
(a charter) for the internal audit department is usually
developed  and  approved  by  management.    The  charter  should 
make  clear  the  purposes  of  the  internal  audit  function,  specify 
the  scope  of  its  work,  and  declare  the  auditors  are  to  have  no 
authority  or  responsibility  for  the  activities  they  audit.    Finally, 
the  auditing  practices  followed  by  the  internal  audit  function 
should  be  consistent  with  accepted  audit  guidelines. 


The  Lottery  previously  had  two  audit  functions:  an  internal 
audit  function  and  an  EDP  audit  function.    In  1988  Lottery 
officials  decided  two  functions/positions  were  not  needed  and 
discontinued  the  internal  audit  position.    The  EDP  audit  position 
remained  so  computer  operations  could  continue  to  receive  an 
independent  review.    In  1990,  the  EDP  audit  function  was 
expanded  to  include  some  internal  audit  responsibilities.    As  of 
August  2,  1991,  the  Lottery's  auditor  position  became  vacant. 

We  found  the  audit  function  performed  only  limited  EDP  and 
internal  audit  work  in  terms  of  specific,  formalized  audits.    For 
example,  only  one  report  has  been  issued  by  the  internal  audit 
function  relating  to  EDP  security  since  1987,  and  most  of  the 
internal  audit  work  consisted  of  performing  the  Guaranteed 
Low-End-Prize-Structure (GLEPS) test and end-of-game
inventory audits. During our audit we identified several other
issues  regarding  the  Lottery's  audit  function.    We  believe  the 
cause  of  these  concerns  is  the  continually  changing  role  of  the 
audit  function  within  the  Lottery  and  a  subsequent  lack  of 
emphasis  on  that  role.    The  following  sections  discuss  the 
specifics  of  the  issues. 


Reporting  Responsibility 
Should  Be  Changed 


The  internal  audit  function  should  report  to  an  individual 
manager  or  management  group  that  allows  independence  from 
the  operations  and  staff  being  reviewed  as  part  of  the  internal 
auditor's  work.    During  our  audit,  the  Lottery's  internal  audit 
function  reported  to  the  director  of  security  who  is  responsible 
for  Lottery  security  and  also  administers  warehouse  operations. 
Since  these  areas  are  routinely  reviewed  as  part  of  existing 
internal  audit  work,  having  the  internal  auditor  report  to  the 
director  of  security  affected  the  independence  of  the  audit 
function. As a result of our audit finding, Lottery officials
changed  the  reporting  structure  of  the  internal  audit  function  to 
report  to  the  Lottery  director. 


Although Lottery management worked on an internal audit
charter  for  over  a  year,  it  was  still  in  draft  stage  during  our 
audit.    Such  a  document  would  generally  explain  the  authority 
and  responsibilities  of  the  internal  audit  function  to  all  Lottery 
personnel.    For  example,  the  former  internal  auditor  indicated 
some  staff  resistance  to  review  of  Lottery  operations  outside  the 
security  department.    One  reason  for  this  resistance  was  due  to 
the  lack  of  Lottery  policies  which  authorize  the  internal  audit 
function  to  review  all  Lottery  operations.    The  Lottery  should 
finalize  its  charter  for  internal  audit,  and  use  formal  audit 
standards  such  as  those  established  by  the  Institute  of  Internal 
Auditors  as  guidelines  for  the  operation  of  the  internal  audit 
function.    Finally,  the  Lottery  should  establish  formal  policy 
specifying the internal audit function's authority and role.


Recommendation #9

We  recommend  the  Lottery: 

A.  Revise  its  organizational  structure  so  the  internal 
audit  function  reports  to  the  Lottery  director; 

B.  Finalize  an  internal  audit  charter;  and, 

C.  Establish  policies  specifying  the  role  of  the  internal 
audit  function. 


Documentation  of  Audit 
Work  Inadequate 


The  internal  auditor  did  not  develop  audit  plans  prior  to 
performing  audit  work.    Audit  plans  generally  summarize  work 
to  be  done  for  presentation  to  management  so  informed 
decisions  can  be  made  on  audit  work  and  scope.    The  plans  also 
document  the  specific  audit  work  to  be  done  and  allow  for 
referencing  of  completed  work.    Additionally,  the  internal 
auditor  did  not  adequately  document  interviews,  observations, 
audit  tests,  and  conclusions. 


As a result of not having plans or other adequate documentation,
Lottery management could not review work performed by the
internal  audit  function.    Furthermore,  without  adequate 
documentation  Lottery  management  cannot  place  reliance  on 
work  performed  by  the  internal  audit  function. 

During  our  previous  security  audit  completed  in  1989,  we  also 
found  the  internal  audit  function  was  not  documenting  work.    In 
a formal response the Lottery indicated the internal audit function
would begin documenting its work immediately. However,
the  Lottery  neither  established  policy  nor  implemented 
procedures  for  documentation  of  audit  work. 

We  believe  the  development  of  audit  plans  would  provide  the 
foundation  for  development  of  a  sound  audit  approach. 
Additionally, documentation of audit work performed is
necessary in order to place any reliance on the work performed.
As  a  result  of  our  audit  findings,  the  Lottery  director  indicated 
the  internal  auditor  would  develop  an  annual  audit  plan.    The 
director  also  indicated  the  internal  auditor  would  provide  better 
documentation  of  audit  work  completed. 


Recommendation  #10 

We recommend the Lottery require adequate documentation
of internal audit work.


Training  Should  Be 
Provided 


One  of  the  key  components  in  the  management  of  personnel  is 
the  provision  of  training  which  will  improve  or  enhance 
employees'  abilities  to  perform  their  tasks.    Training  helps 
increase  productivity/performance  and  can  improve  the  self- 
satisfaction  people  obtain  from  performing  their  jobs. 


As  part  of  our  examination  of  management  controls,  we 
reviewed  the  training  provided  to  personnel  having  security- 
related  positions.    Overall,  we  found  the  Lottery  provides  only 
minimal  training  for  all  staff.    We  more  closely  examined  the 
actual  and  potential  impact  of  the  limited  training  given  to 
security,  data  processing,  and  internal  audit  personnel.    The 
following  sections  discuss  the  training  issues  noted  regarding 
these  positions. 


Security Staff Training
Should  Be  Increased 


The  Montana  Lottery  security  department  is  responsible  for  the 
security of the Lottery. Specifically, security staff responsibilities
are:

--     evaluate  and  maintain  the  security  systems  used  to  restrict 
access  to  various  Lottery  operations; 

--     establish  and  oversee  security  procedures  relative  to  the 
various Lottery games;

--     verify winning ticket claims;

--     investigate stolen tickets;

--     conduct employee background checks; and,

--     assure  EDP  activities  are  monitored  and  restricted  to  those 
employees  requiring  computer  access. 

During  our  review  of  training  records  and  interviews  with 
security staff, we noted neither the director of security nor the
Lottery investigator has received any formal training specific
to  their  security  functions  since  1987.    For  example,  the  director 
of  security  and  the  Lottery  investigator  have  not  received  any 
training  in  the  area  of  electronic  data  processing  (EDP)  security 
although  the  position  descriptions  for  both  positions  require  at 
least  a  basic  understanding  of  EDP  security. 

Since  the  Lottery  has  not  provided  EDP  security  training  to 
security  personnel,  greater  potential  exists  for  a  breach  of 
security  in  the  Lottery  computer  system.    Additionally,  by  not 
providing  EDP  security  training  to  the  director  of  security,  the 
Lottery  may  not  be  in  compliance  with  section  23-5-1013, 
MCA. This statute requires the director of security to be knowledgeable
in computer security. Lottery officials believe the
security  staff  have  a  basic  understanding  of  EDP  security. 
However,  during  the  course  of  the  audit  we  found  a  number  of 
fundamental  computer  security  weaknesses.    We  believe  if 
security  personnel  had  a  better  understanding  of  EDP  security 
these  weaknesses  might  not  exist.    In  response  to  our  contention, 
the  director  of  security  indicated  he  relies  on  the  internal  audit 
function  to  answer  questions  or  provide  information  regarding 
the  Lottery's  computer  system.    However,  as  mentioned  earlier 
in  this  report,  the  internal  auditor  performed  only  limited  EDP 
audit  work.   Therefore,  the  amount  of  reliance  which  may  be 
placed  on  the  internal  auditor's  work  is  speculative. 

We  believe  a  training  plan  should  be  developed  and  implemented 
for  security  personnel.    EDP  security  training  is  available 
through a number of sources. This training could help
increase/improve existing Lottery security as well as provide
internal  training  resources. 


Data Processing Staff
Training  Could  Be 
Improved 


The  major  data  processing  operations  of  the  Lottery  are  run  on 
a  minicomputer  called  Stratus  System  32.   Stratus  verifies 
winning  tickets,  writes  checks  to  winners,  and  collects  payments 
from  retailers  using  Electronic  Funds  Transfer  (EFT).    Data 
processing  personnel  at  the  Lottery  make  ongoing  modifications 
to  the  software  in  order  to  provide  specific  information 
requested  by  other  Lottery  departments. 


During  our  review  of  Lottery  training  records,  we  noted  data 
processing  staff  have  not  received  any  formal  training  specific 
to  the  hardware  or  software  applications  of  the  Stratus  system. 
Additionally,  training  records  revealed  the  Lottery  has  not 
established  a  formalized  training  plan  for  its  data  processing 
staff.    Interviews  with  the  data  processing  staff  indicate  training 
has  been  limited  to  reviewing  system  manuals  and  on-the-job 
training. 

As  a  result  of  data  processing  personnel  not  receiving  formal 
training,  they  may  not  be  fully  aware  of  all  the  commands 
and/or  programs  found  on  the  Stratus  system.    In  addition,  a 
lack  of  system  training  may  increase  the  time  it  takes  to 
develop,  modify,  or  maintain  operating  software  for  the  Stratus 
system,  potentially  causing  disruptions  of  Lottery  operations. 
This  in  turn  creates  a  greater  potential  for  the  security  of  the 
system  to  be  compromised. 

Formal  training  would  further  familiarize  the  data  processing 
staff  with  the  operation  of  the  Stratus  system.    This  would 
include  such  techniques  as  how  to  identify  and  make  more 
timely  corrections  and/or  modifications  in  the  system. 


Due to other budget priorities, Lottery officials indicated they
have been unable to provide the necessary training on the
Stratus system to data processing staff. However, Lottery
officials agree this training should be provided and will investigate
the most cost-effective way of providing the training.


More Specific Training
Is  Necessary  For 
Internal  Audit  Duties 


A  Lottery  goal  is  to  provide  training  to  employees  to  make  them 
more  efficient.    During  our  review,  we  determined  the  internal 
auditor had not received sufficient training to adequately perform
the necessary job duties. A review of Lottery training
records  indicated  no  audit-related  training  was  ever  provided  to 
the  internal  auditor.    Without  the  necessary  training,  the  auditor 
was  not  adequately  prepared  to  carry  out  the  responsibilities  of 
the  job.    Lack  of  audit-related  training  may  have  been  part  of 
the  reason  adequate  audit  documentation  was  not  maintained. 


Prior  to  the  auditor  leaving  his  position,  Lottery  officials  stated 
they  were  looking  into  various  types  of  training  available  for  the 
position. When training data is compiled, Lottery officials
indicated  they  would  determine  the  feasibility  of  the  internal 
auditor  attending  some  training  courses. 


Summary 


We believe employee training offers management the opportunity
to expand employee skills and at the same time improve
an  organization's  operational  capabilities.    In  each  of  the  sections 
noted  above  we  have  identified  areas  where  training  could 
improve  Lottery  operations.    We  believe  the  Lottery  should 
make  every  effort  to  increase  the  training  provided  to  security- 
related  staff  in  order  to  enhance  existing  Lottery  security  and 
develop  additional  skills  for  Lottery  personnel. 


Recommendation  #11 

We recommend the Lottery develop and implement appropriate
training programs for security-related personnel.


Policies and Procedures
Are  Incomplete 


Throughout  the  audit  we  identified  areas  where  the  Lottery  has 
not  developed  and/or  formalized  security  policies  and 
procedures.    Some  of  the  areas  where  policies  and  procedures 
could  be  developed  include: 

--     On-line  Ticket  Validation  -  The  Lottery  should  document 
the  process  of  how  winning  tickets  for  the  on-line  games 
are  to  be  validated.    The  procedures  should  include  the 
steps  for  processing  both  walk-in  and  mail-in  claims  and 
what  to  do  in  the  event  a  questionable  ticket  is  received. 

--     Retailer/Contracted  Employee  Investigations  -  The  Lottery 
conducts  background  investigations  on  all  contracted 
employees  (i.e. janitorial  firm)  and  all  retailers.    The  process 
for  conducting  these  investigations  should  be  documented. 

--     Card  Access  Back-Up  Plan  -  Because  the  card  access 
system  is  the  major  security  system  to  control  access  to 
different  areas  of  the  Lottery,  the  Lottery  should  establish  a 
formalized  back-up  plan  in  the  event  the  system  becomes 
inoperative.    This  back-up  plan  could  be  incorporated  into 
overall  security  policies  and  procedures. 

Lack  of  formal  policies  and  procedures  can  cause  inconsistencies 
in  Lottery  operations  and  could  compromise  Lottery  security. 
For example, background investigations should be conducted on
any  contracted  employees  since  they  would  generally  have  access 
to  the  Lottery  building.    Although  actual  procedures  followed  by 
security  personnel  for  conducting  investigations  on  contracted 
employees may be adequate, the Lottery cannot ensure consistency
in this area. Established policies and procedures provide
specific  direction  for  new  employees  and  provide  clarification 
for  current  employees  in  conducting  their  job  duties. 

Based  on  interviews  with  Lottery  personnel,  we  found  these 
policies  and  procedures  have  not  been  developed  for  a  variety  of 
reasons. For example, Lottery officials indicated they have not
established policies and procedures for validating on-line tickets
because of other priorities and commitments, such as implementing
the on-line games. We found other policies or
procedures have not been established due to an oversight and/or
the Lottery did not believe it was necessary to put them in
writing. We believe the Lottery should establish written policies
and  procedures  for  the  areas  discussed  above. 


Recommendation  #12 

We  recommend  the  Lottery  establish  formal  policies  and 
procedures  for: 

A.  On-line  ticket  validations; 

B.  All  background  investigations  for  retailers  and 
contracted  employees;  and, 

C. A backup plan for the card access system.


Recommendation #1

We  recommend  the  Lottery  comply  with  statutory  and  internal 
security policies for obtaining and classifying employee
fingerprints.

We concur with your recommendation. Since determining that
certain  areas  of  law  and  policy  were  not  fully  complied 
with,  action  has  been  taken  to  correct  this  problem  and 
assure  that  it  not  reoccur. 


Recommendation  #2 

We  recommend  the  Lottery: 

A.  Document  all  information  obtained  during  employee  background 
investigations;  and 

B.  Complete  the  development  of  and  implement  the  background 
investigation  checklist. 

We  concur  with  your  recommendations.   We  have  completed  and 
are  using  a  background  investigation  checklist.   When 
applicable, this checklist will be used to document the work
completed on a background investigation. When the form is
not applicable, investigation activity will be documented in
memo  form. 


Recommendation  #3 

We  recommend  the  Lottery  control  access  to  program  and  technical 
documentation  for  the  Stratus  computer  system. 

We  concur  with  your  recommendation.   The  technical 
documentation  which  was  located  in  the  office  area  has  been 
removed.   The  Montana  Lottery  is  currently  negotiating  a  new 
lease.   One  of  the  items  to  be  agreed  upon  prior  to  the 
lease  renewal  would  cause  some  doors  to  be  changed.   This 
would  reroute  traffic  between  our  office  area  and  our 
warehouse.   This  change  would  make  the  computer 
programmer/operator area a more secure area and provide for
a better work environment. Those manuals (technical
documentation) which were located in the programmer/operator
area are now locked in the data processing manager's office
with key controls.


Recommendation #4

We  recommend  the  Lottery  maintain  the  additional  early  warning 
water  detection  device  in  the  computer  room. 

We  concur  with  your  recommendation.  An  early  warning  water 
detection device was installed in April, 1991, and is being
maintained.


Recommendation  #5 

We  recommend  the  Lottery  transport  all  computer  tapes  in 
protective  coverings. 

We  concur  with  your  recommendation.   A  second  tape  transport 
case  was  purchased,  and  is  in  use  for  the  purpose  of 
transporting  the  two  tapes  in  question. 


Recommendation  #6 

We recommend the Lottery perform more detailed data security
reviews  as  suggested  by  section  2-15-114,  MCA. 

We  concur  with  your  recommendation.   The  Lottery  Director 
has  instructed  the  Lottery  Security  Group  to  examine  section 
2-15-114, MCA, in order to more fully comply with the code,
and  to  continually  improve  Lottery  security. 


Recommendation  #7 

We  recommend  the  Lottery  establish  the  completion  of  performance 
evaluations  as  a  management  priority. 

We  concur  with  your  recommendation.   A  great  amount  of  work 
has  been  accomplished  in  this  area  during  the  past  several 
months.   The  date  of  December  1,  1991  has  been  set  for  the 
completion of the evaluation standards.


Recommendation #8

We recommend the Lottery establish and implement policies and
procedures to improve security department management information.


We  concur  with  your  recommendation.   We  will  do  an 
evaluation  of  our  needs  with  regard  to  management 
information.   This  will  be  completed  by  January  1,  1992.   At 
that time we will form the policies and procedures necessary
to gather the needed information. We will further determine
the form in which that information will be available.


Recommendation  #9 


We recommend the Lottery:

A.  Revise  its  organization  structure  so  the  internal  audit 
function  reports  to  the  Lottery  Director. 

We concur with your recommendation. As shown on pages 6 and
8 of this document, our internal audit function has been
moved  and  answers  to  the  Lottery  Director. 

B.  Finalize  an  internal  audit  charter. 

We  concur  with  your  recommendation.   Our  audit  charter  was 
completed  several  months  ago. 

C. Establish policies specifying the role of the internal audit
function.

We  concur  with  your  recommendation.   The  internal  auditor's 
position  description,  the  audit  charter,  and  an  annual  audit 
plan  create  the  policies  specifying  the  internal  audit 
function,  and  all  of  these  have  been  completed. 


Recommendation  #10 

We  recommend  the  Lottery  require  adequate  documentation  of 
internal  audit  work. 

We  concur  with  your  recommendation.   Our  audit  position  is 
currently  vacant.   Prior  to  the  position's  vacancy,  an 
annual  audit  plan  was  completed.   We  believe  this  is  a  start 
to  better  documenting  the  work  of  the  internal  auditor. 
Each individual audit will also have a plan.


Recommendation #11

We  recommend  the  Lottery  develop  and  implement  appropriate 
training  programs  for  security-related  personnel. 

We  concur  with  your  recommendation.   We  believe  we  have 
several  areas  where  training  is  needed.   Prior  to  March, 
1992,  we  will  identify  areas  where  training  is  needed, 
locate training which meets those needs, and set a training
schedule.


Recommendation  #12 

We  recommend  the  Lottery  establish  formal  policies  and  procedures 
for: 

A.  On-line  ticket  validations; 

We  concur  with  your  recommendation.   Our  on-line  ticket 
validations policy has been formalized and is in use.

B. All background investigations for retailers and contracted
employees;

We  concur  with  your  recommendation.   Additions  to  our 
investigations  procedures  have  been  completed  and  are  in 
use.   They  address  retailers  and  contract  employees. 

C.  A  backup  plan  for  the  card  access  system. 

We  concur  with  your  recommendation.   Our  policy  and 
procedures  concerning  a  backup  plan  for  our  card  access 
system has been formalized and is in use.